Modernising Desktop Management – Part 2
Modern Desktop Management – Windows 10
In the first part of this series, I outlined the components of the modern desktop experience:
- Windows 10
- Office 365 ProPlus
- Cloud Management
In this second part, I am going to provide an overview of how Windows 10 is different from its predecessors.
Windows as a Service (WaaS)
The most significant component of WaaS is that updates to the Operating System no longer come as a single major update that Microsoft release to businesses every 3-4 years (with a few exceptions, Windows XP to Windows Vista comes to mind!). Windows 10 now has a regular release cycle, two major “feature” updates a year, and monthly “quality” updates that include security updates and bug fixes.
With Windows 10, Microsoft will release two major feature updates a year, one around March, and the other around September. These are commonly referred to as the xx03 and xx09 releases, where xx is replaced by the year. At the time this blog post was written, the most recent version was 1909.
Feature updates are more significant updates to the OS. They include new capabilities, both for IT Admins, and new end-user features.
These updates also typically coincide with a new ISO version that can be downloaded from the various Microsoft services and used as installation media for USB, WDS, MDT and SCCM deployments.
Unlike earlier versions of Windows, Microsoft support the new releases for a specific period:
- Organisations running Pro versions get only 18 months for both xx03 and xx09 releases.
- Organisations that have licenses to Windows Enterprise get the additional benefit of up to 30 months for features in xx09 releases.
Once these periods elapse Microsoft will stop releasing any further Quality updates for that version of Windows and organisations must update to a newer supported release to receive OS patches.
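The support periods above can be turned into an inventory check. This is an added example, not code from the original post: the device names are constructed, the 90-day warning threshold is hypothetical, and the release date is approximated as the first day of the month in the version number, so confirm real end dates against Microsoft's lifecycle pages.

```powershell
# Added example: servicing periods are the ones stated in this post.
function Get-ServicingEnd {
    param(
        [Parameter(Mandatory)][ValidatePattern('^\d{2}(03|09)$')][string]$Version,
        [Parameter(Mandatory)][ValidateSet('Pro', 'Enterprise')][string]$Edition
    )
    # Assumption: the release date is the first day of the month in the version number.
    $year    = 2000 + [int]$Version.Substring(0, 2)
    $month   = [int]$Version.Substring(2, 2)
    $release = [datetime]::new($year, $month, 1)
    # 18 months for every release; Enterprise gets up to 30 months on xx09 releases.
    $months = if ($Edition -eq 'Enterprise' -and $month -eq 9) { 30 } else { 18 }
    $release.AddMonths($months)
}

function Get-ServicingStatus {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [datetime]$AsOf = (Get-Date),
        [int]$WarnDays = 90   # hypothetical planning threshold
    )
    foreach ($device in $Inventory) {
        $end      = Get-ServicingEnd -Version $device.Version -Edition $device.Edition
        $daysLeft = [int][math]::Floor(($end - $AsOf).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'OutOfServicing' } elseif ($daysLeft -le $WarnDays) { 'UpdateSoon' } else { 'InServicing' }
        [pscustomobject]@{
            Device       = $device.Device
            Version      = $device.Version
            Edition      = $device.Edition
            ServicingEnd = $end.ToString('yyyy-MM')
            DaysLeft     = $daysLeft
            Status       = $status
        }
    }
}

# Constructed sample inventory; in practice this comes from your management tool's export.
$inventory = @(
    [pscustomobject]@{ Device = 'PC-001'; Version = '1803'; Edition = 'Pro' }
    [pscustomobject]@{ Device = 'PC-002'; Version = '1809'; Edition = 'Enterprise' }
    [pscustomobject]@{ Device = 'PC-003'; Version = '1909'; Edition = 'Pro' }
)
Get-ServicingStatus -Inventory $inventory | Sort-Object DaysLeft | Format-Table -AutoSize
```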
With earlier versions of Windows, Microsoft would release security and bug fixes for the OS individually, and IT admins could select which updates to deploy to their devices. While this was good for Admins when Microsoft released an update that broke a capability they relied on, it was not practical for Microsoft to test every possible combination of updates that was deployed to a device. Now Microsoft provides a monthly cumulative update.
Monthly quality updates are cumulative; thus, they include all updates Microsoft have developed for that version since Microsoft released it. The use of cumulative updates dramatically simplifies the process of getting a Windows device up-to-date when deploying a new system, and also gives Microsoft a more predictable base to test updates against before releasing them to end-users.
With the new release cadence of Windows, it becomes more important to define how feature updates are deployed. To help manage feature update releases, Microsoft provide reference points called Update Branches. These branches denote where Microsoft place a feature update in its rollout to all managed Windows devices worldwide.
The current branches, in order of release cycle, are:
- Windows Insider – Fast Ring
- Windows Insider – Slow Ring
- Windows Insider – Release Preview
- Semi-Annual Channel (Targeted)
- Semi-Annual Channel
- Long-Term Servicing Branch
So what is the difference between all these branches, and which should you choose for your end-users and devices?
Windows Insider – Fast Ring
The Windows Insider – Fast Ring is the first preview Microsoft makes available to the public for testing, and it is usually meant for enthusiasts to test and comment on new features and to provide early identification of bugs within a new OS release.
Microsoft recommends that Fast Ring releases are used only on testing devices, where a 2nd device running a more stable OS can be accessed when users encounter significant bugs.
Windows Insider – Slow Ring
The Windows Insider – Slow Ring is the 2nd preview of a new Windows version that Microsoft makes available to the public. It is usually (but not always) based on a previous Fast Ring release for which Microsoft has developed bug fixes. The Slow Ring releases are often more stable than the Fast Ring releases; however, they are still preview releases.
As with the Fast Ring, Microsoft does not recommend Slow Ring releases for everyday use; they should be used only when you have a spare PC available.
Windows Insider – Release Preview
Release Previews are the final preview release of a new Windows OS version before it is rolled out to everyday users. Microsoft use the Release Preview versions for final quality testing before a version is made generally available to the public. Release Preview is usually released about 1 month before the General Availability of a new Windows version.
Usually when a version reaches the Release preview stage, Microsoft will only apply minor updates to resolve known issues before it is released to end-users. The Release Preview is usually ready for most end-user needs; however, bugs may still be identified that need to be resolved.
Semi-Annual Channel (Targeted)
The Semi-Annual Channel (Targeted) release (formerly known as the Current Branch release) is the version of Windows made generally available to the public, for Windows 10 Home and Pro versions not managed by an organisation (not AD/AAD joined). It is the first version released to end-users, and it goes to Home and non-business-critical users first, to help ensure that the majority of the remaining bugs are identified and resolved before the version is released to the Semi-Annual Channel.
Microsoft support the Semi-Annual (Targeted) channel for consumers for 18 months, and consumers' ability to delay updates is more limited than that of businesses.
Microsoft recommends that when new versions are released to the Semi-Annual (Targeted) channel, a small set of IT and trainers are updated to that release. The deployment of the new version to a small subset of users gives the organisation a head start on testing new Windows features and preparing users for the changes coming in the next Windows release.
Semi-Annual Channel
The Semi-Annual Channel is the prime channel that Microsoft recommends for everyday business use. A version of Windows is typically moved to the Semi-Annual channel after it has been in the Targeted channel for approximately 4 months.
Once Microsoft move a release to the Semi-Annual channel, they believe most breaking issues have been identified and resolved and that for most common business scenarios it is ready for deployment. Typically, an organisation should try and roll out the Semi-Annual channel to a small percentage of business users for 1-2 months before expanding their deployment to the broader user population.
If, however, an organisation is not ready for a new release of Windows, the deployment can be delayed for a period of up to 365 days when using Windows Update for Business. Microsoft will provide quality updates for Enterprise editions of Windows 10 for 18 months on xx03 releases, and 30 months on xx09 releases.
Long-Term Servicing Branch
Microsoft recommends the Long-Term servicing branch for mission-critical workloads, or devices that have a long service life, such as ATMs, where updating to a new version every 30 months is not possible because of the distributed, disconnected nature of the devices.
The Long-Term servicing branch is limited in various ways, including no support for the Modern Apps and the Windows Store.
This version of Windows is released every 2-3 years, and is supported by Microsoft for 5 years standard, and 5 years extended support.
Microsoft recommends the Long-Term servicing branch for specific workloads only, and not for the general user population.
Windows Update for Business
With the change in how updates are released, comes a change in how admins can manage the deployment.
For organisations still running SCCM or Windows Server Update Services (WSUS), you can still use these tools to approve and deploy updates to managed devices; however, a new method is now available, referred to as Windows Update for Business policies.
Windows Update for Business policies allow an admin to configure various settings including:
- The Update Branch to which a device belongs.
- The period for which either Feature or Quality updates are deferred:
  - An organisation can defer Feature Updates for up to 365 days.
  - An organisation can defer Quality Updates for up to 30 days.
- The inclusion of updates from the Microsoft Update service (eg, SQL Server Management Studio, Visual Studio, etc).
- The inclusion of Windows Driver updates.
- Update windows, and forced update behaviour.
- Removal windows for a recently installed update.
With a Windows Update for Business policy, it is often recommended to have a few general update rings as follows (your configuration may vary, but this is a good starting point):
|Ring||User Base||Channel||Update Deferral||Reason|
|Ring 1 – Prerelease||A small selection of IT and trainers||Semi-Annual (Targeted)||Feature: 0-30 days||Test and evaluate new features before release to the rest of the user base|
|Ring 2 – Pilot Users||A selection of up to 5% of the standard user population||Semi-Annual||Feature: 30-60 days||Test OS and first to receive quality updates|
|Ring 2 – Standard Users||The bulk of the user population||Semi-Annual||Feature: 120+ days; Quality: 15 days||Receive updates after the pilot users, usually after most issues are identified|
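To confirm that a device really carries the settings of the ring it was assigned to, the policy values can be read back and compared with the plan. This is an added example, not code from the original post: the ring labels are hypothetical short names for the table rows, and it assumes the policy is delivered as the standard Windows Update Group Policy registry values, where a `BranchReadinessLevel` of 16 means Semi-Annual Channel (Targeted) and 32 means Semi-Annual Channel.

```powershell
# Added example: read-only check of Windows Update for Business settings against a ring.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Ring plan from the table; hypothetical short labels. Quality is checked only where the table states it.
$rings = @{
    Prerelease = @{ Branch = 16; FeatureMin = 0;   FeatureMax = 30 }
    Pilot      = @{ Branch = 32; FeatureMin = 30;  FeatureMax = 60 }
    Standard   = @{ Branch = 32; FeatureMin = 120; FeatureMax = 365; Quality = 15 }
}

function Test-UpdateRing {
    param(
        [Parameter(Mandatory)][ValidateSet('Prerelease', 'Pilot', 'Standard')][string]$Ring,
        # Defaults to the local policy key; pass an object to check exported settings.
        $Policy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue)
    )
    if (-not $Policy) { return 'No Windows Update for Business policy is set' }

    $want     = $rings[$Ring]
    $feature  = $Policy.DeferFeatureUpdatesPeriodInDays
    $quality  = $Policy.DeferQualityUpdatesPeriodInDays
    $findings = @()

    if ($Policy.BranchReadinessLevel -ne $want.Branch) {
        $findings += "Branch is '$($Policy.BranchReadinessLevel)', ring expects $($want.Branch)"
    }
    if ($null -eq $feature -or $feature -lt $want.FeatureMin -or $feature -gt $want.FeatureMax) {
        $findings += "Feature deferral '$feature' is outside $($want.FeatureMin)-$($want.FeatureMax) days"
    }
    if ($want.ContainsKey('Quality') -and $quality -ne $want.Quality) {
        $findings += "Quality deferral '$quality' does not match $($want.Quality) days"
    }
    # 30 days is the maximum quality deferral regardless of ring.
    if ($null -ne $quality -and $quality -gt 30) {
        $findings += "Quality deferral '$quality' exceeds the 30-day maximum"
    }
    if ($findings.Count -eq 0) { 'Compliant' } else { $findings }
}

# Constructed sample: settings exported from a device that should be in the Standard ring.
$sample = [pscustomobject]@{
    BranchReadinessLevel            = 32
    DeferFeatureUpdatesPeriodInDays = 90
    DeferQualityUpdatesPeriodInDays = 15
}
Test-UpdateRing -Ring Standard -Policy $sample
Test-UpdateRing -Ring Standard   # checks the device the script runs on
```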
An additional change Microsoft has recently made is the introduction of the Microsoft 365 license, which now includes a per-user based subscription license including all the component parts to ensure Information Workers and Frontline workers can be productive. With the Microsoft 365 license, an organisation no longer needs to purchase the separate licenses to have complete coverage of most productivity scenarios, where historically an organisation would purchase:
- Windows 10 licenses
- Office 365 Subscriptions
- Enterprise Mobility & Security (EMS) Subscriptions
Now an organisation can buy a single Microsoft 365 license per user and achieve effective coverage for the most frequent and everyday productivity needs.
Like Office 365 and the EMS suites, Windows Enterprise licenses can be purchased separately, and have similar assignment, tracking and online activation capabilities to Office 365. Now devices that are never inside the corporate network can activate based on user subscription state, rather than needing to manage various Multiple Activation Keys for these devices.
How do I get started?
Whether you’ve already deployed Windows 10 and are looking to simplify your management or if you’ve yet to start deploying, we can help. Talk to us about how to migrate to Windows 10 and our Windows 10 MDM Workshop.
Andrew has fourteen years of experience working with small and large environments, designing and implementing technology solutions using various technologies including, Azure Active Directory, Exchange Online, Microsoft Intune, Microsoft Endpoint Manager Configuration Manager, Active Directory and many others.